push-gate
Installation
SKILL.md
Push Gate
Formalised pre-push safety check. Runs before every git push <remote> where the remote is not a local file path. Refuses on secret hits; warns on size/forbidden-file; confirms intent before pushing.
Use this skill whenever the user asks to push, or before Claude runs git push to any remote. Complements git-ops (which handles the push itself) — this is the gate that runs immediately before.
Hard rules
- Gitleaks is a required dependency. If not installed, emit the install instructions and refuse. Do not silently fall back to regex-only.
- Any secret-scanner hit ⇒ refuse. No bypass flag. Force the user to rewrite history and re-invoke the gate.
- Never
--forcepush. The gate never passes a force flag. If the user needs to force-push, that's a separate conversation with explicit authorization. - Never
--no-verify. Don't skip hooks. - Working tree must be clean. Refuse on dirty tree (uncommitted work could be accidentally stashed into the push flow).
- Remote must be named. Refuse if
git pushis called without an explicit remote and branch.